feat: blocklist table with registration check endpoint
- is_blocked BOOLEAN (default true), INET type for IP validation - Indexes on email/username/phone/ip for fast registration checks - POST /api/blocklist/check — checks all fields in one request, returns 403 if blocked - Auto-timestamps on block/unblock, email stored lowercase Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -307,6 +307,34 @@ async function migrate() {
|
||||
)
|
||||
`);
|
||||
|
||||
// blocklist
|
||||
await query(`
|
||||
CREATE TABLE IF NOT EXISTS blocklist (
|
||||
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
||||
is_blocked BOOLEAN NOT NULL DEFAULT true,
|
||||
username TEXT,
|
||||
email TEXT,
|
||||
phone TEXT,
|
||||
ip INET,
|
||||
blocked_at TIMESTAMPTZ,
|
||||
unblocked_at TIMESTAMPTZ,
|
||||
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
|
||||
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
|
||||
)
|
||||
`);
|
||||
|
||||
await query(`
|
||||
DROP TRIGGER IF EXISTS blocklist_updated_at ON blocklist;
|
||||
CREATE TRIGGER blocklist_updated_at
|
||||
BEFORE UPDATE ON blocklist
|
||||
FOR EACH ROW EXECUTE FUNCTION update_updated_at()
|
||||
`);
|
||||
|
||||
await query(`CREATE INDEX IF NOT EXISTS blocklist_email_idx ON blocklist (lower(email)) WHERE email IS NOT NULL`);
|
||||
await query(`CREATE INDEX IF NOT EXISTS blocklist_username_idx ON blocklist (lower(username)) WHERE username IS NOT NULL`);
|
||||
await query(`CREATE INDEX IF NOT EXISTS blocklist_phone_idx ON blocklist (phone) WHERE phone IS NOT NULL`);
|
||||
await query(`CREATE INDEX IF NOT EXISTS blocklist_ip_idx ON blocklist (ip) WHERE ip IS NOT NULL`);
|
||||
|
||||
console.log('Migration complete');
|
||||
}
|
||||
|
||||
|
||||
@@ -31,6 +31,7 @@ app.use('/api/objects', auth, require('./routes/objects'));
|
||||
app.use('/api/pairs', auth, require('./routes/pairs'));
|
||||
app.use('/api/questions', auth, require('./routes/questions'));
|
||||
app.use('/api/statements', auth, require('./routes/statements'));
|
||||
app.use('/api/blocklist', auth, require('./routes/blocklist'));
|
||||
|
||||
// 404
|
||||
app.use((req, res) => {
|
||||
|
||||
112
src/routes/blocklist.js
Normal file
112
src/routes/blocklist.js
Normal file
@@ -0,0 +1,112 @@
|
||||
const router = require('express').Router();
|
||||
const { query } = require('../db');
|
||||
|
||||
// GET /api/blocklist
|
||||
router.get('/', async (req, res, next) => {
|
||||
try {
|
||||
const { is_blocked, limit = 50, offset = 0 } = req.query;
|
||||
const params = [Math.min(parseInt(limit), 500), parseInt(offset)];
|
||||
const where = is_blocked !== undefined ? `WHERE is_blocked = $3` : '';
|
||||
if (is_blocked !== undefined) params.push(is_blocked === 'true');
|
||||
const result = await query(
|
||||
`SELECT * FROM blocklist ${where} ORDER BY created_at DESC LIMIT $1 OFFSET $2`,
|
||||
params
|
||||
);
|
||||
res.json(result.rows);
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// GET /api/blocklist/:id
|
||||
router.get('/:id', async (req, res, next) => {
|
||||
try {
|
||||
const result = await query('SELECT * FROM blocklist WHERE id = $1', [req.params.id]);
|
||||
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
|
||||
res.json(result.rows[0]);
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// POST /api/blocklist/check — Registrierungs-Check
|
||||
router.post('/check', async (req, res, next) => {
|
||||
try {
|
||||
const { username, email, phone, ip } = req.body;
|
||||
if (!username && !email && !phone && !ip)
|
||||
return res.status(400).json({ error: 'Provide at least one field to check' });
|
||||
|
||||
const conditions = [];
|
||||
const params = [];
|
||||
if (email) { params.push(email.toLowerCase()); conditions.push(`lower(email) = $${params.length}`); }
|
||||
if (username) { params.push(username.toLowerCase()); conditions.push(`lower(username) = $${params.length}`); }
|
||||
if (phone) { params.push(phone); conditions.push(`phone = $${params.length}`); }
|
||||
if (ip) { params.push(ip); conditions.push(`ip = $${params.length}`); }
|
||||
|
||||
const result = await query(
|
||||
`SELECT id, is_blocked, username, email, phone, ip FROM blocklist
|
||||
WHERE is_blocked = true AND (${conditions.join(' OR ')})
|
||||
LIMIT 1`,
|
||||
params
|
||||
);
|
||||
|
||||
if (result.rows.length) {
|
||||
return res.status(403).json({ blocked: true, matched: result.rows[0] });
|
||||
}
|
||||
res.json({ blocked: false });
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// POST /api/blocklist — Eintrag anlegen
|
||||
router.post('/', async (req, res, next) => {
|
||||
try {
|
||||
const { username, email, phone, ip } = req.body;
|
||||
if (!username && !email && !phone && !ip)
|
||||
return res.status(400).json({ error: 'Provide at least one of: username, email, phone, ip' });
|
||||
|
||||
const result = await query(
|
||||
`INSERT INTO blocklist (username, email, phone, ip, blocked_at)
|
||||
VALUES ($1, $2, $3, $4, NOW()) RETURNING *`,
|
||||
[username || null, email ? email.toLowerCase() : null, phone || null, ip || null]
|
||||
);
|
||||
res.status(201).json(result.rows[0]);
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// PATCH /api/blocklist/:id — blockieren / entsperren
|
||||
router.patch('/:id', async (req, res, next) => {
|
||||
try {
|
||||
const allowed = ['is_blocked', 'username', 'email', 'phone', 'ip', 'blocked_at', 'unblocked_at'];
|
||||
const fields = Object.keys(req.body).filter(k => allowed.includes(k));
|
||||
if (!fields.length) return res.status(400).json({ error: 'No valid fields provided' });
|
||||
|
||||
// Auto-timestamps bei is_blocked Wechsel
|
||||
if (req.body.is_blocked === true && !req.body.blocked_at) {
|
||||
fields.push('blocked_at');
|
||||
req.body.blocked_at = new Date().toISOString();
|
||||
}
|
||||
if (req.body.is_blocked === false && !req.body.unblocked_at) {
|
||||
fields.push('unblocked_at');
|
||||
req.body.unblocked_at = new Date().toISOString();
|
||||
}
|
||||
|
||||
// Email normalisieren
|
||||
if (req.body.email) req.body.email = req.body.email.toLowerCase();
|
||||
|
||||
const setClauses = fields.map((f, i) => `${f} = $${i + 1}`).join(', ');
|
||||
const values = [...fields.map(f => req.body[f]), req.params.id];
|
||||
const result = await query(
|
||||
`UPDATE blocklist SET ${setClauses} WHERE id = $${fields.length + 1} RETURNING *`,
|
||||
values
|
||||
);
|
||||
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
|
||||
res.json(result.rows[0]);
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// DELETE /api/blocklist/:id
|
||||
router.delete('/:id', async (req, res, next) => {
|
||||
try {
|
||||
const result = await query('DELETE FROM blocklist WHERE id = $1 RETURNING id', [req.params.id]);
|
||||
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
|
||||
res.status(204).end();
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
Reference in New Issue
Block a user